Logs in Dominic-Wagner/vaultwarden collection are not getting parsed

Hello community
I want to secure my vaultwarden with crowdsec because it's awesome.
I have already installed vaultwarden in docker and it's already logging like this:

cat /var/log/vaultwarden/vaultwarden.log

[2024-04-03 18:44:08.371][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 185.16.53.93. Username: dfgdfgdf@gmail.com.
[2024-04-03 18:44:09.346][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 185.16.53.93. Username: dfgdfgdf@gmail.com.
[2024-04-03 18:44:10.290][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 185.16.53.93. Username: dfgdfgdf@gmail.com.

Looks great but crowdsec is doing nothing. The acquis.yaml looks like this

#Generated acquisition file - wizard.sh (service: ssh) / files : 
journalctl_filter:
 - _SYSTEMD_UNIT=ssh.service
labels:
  type: syslog
---
filenames:
 - /var/log/vaultwarden/vaultwarden.log
labels:
  type: Vaultwarden

cscli metrics looks like this:

I already tried to bruteforce myself but after 10 retries vaultwarden says

[2024-04-03 18:44:18.027][vaultwarden::ratelimit][ERROR] Too many login requests

But crowdsec is doing nothing :frowning:

root@Test:~# cscli decisions list
No active decisions

cscli explain

    ├ s00-raw
    |       ├ 🔴 crowdsecurity/syslog-logs
    |       └ 🟢 crowdsecurity/non-syslog (+5 ~8)
    ├ s01-parse
    |       ├ 🔴 crowdsecurity/sshd-logs
    |       └ 🟢 Dominic-Wagner/vaultwarden-logs (+11 ~2)
    ├ s02-enrich
    |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
    |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
    |       └ 🟢 crowdsecurity/whitelists (unchanged)
    ├-------- parser success 🟢
    ├ Scenarios
            ├ 🟢 Dominic-Wagner/vaultwarden-bf
            └ 🟢 Dominic-Wagner/vaultwarden-bf_user-enum

Any ideas what I am doing wrong?
Thanks for your help!

Most likely the parsing is working, as shown by the explain. You're probably just too slow to trigger it manually by typing; the scenario tries to detect automated bruteforce attempts.

Vaultwarden has implemented its own brute force detection, which is not parsed by us. You can lower the capacity of the scenario to see if it improves detection when triggering by manual typing.
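To make the "lower the capacity" advice concrete, here is an added Python example (not from the thread, the CrowdSec project or the Dominic-Wagner collection) that parses failed-login lines in the format shown above and runs a simplified per-IP leaky bucket over them. The bucket semantics, the capacity/leakspeed values and the sample IP and username are assumptions for illustration, not the real vaultwarden-bf scenario parameters.

```python
import re
from datetime import datetime, timedelta

# Failed-login line format as shown in the thread (vaultwarden::api::identity).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[vaultwarden::api::identity\]\[ERROR\] "
    r"Username or password is incorrect\. Try again\. "
    r"IP: (?P<ip>[0-9a-fA-F.:]+)\. Username: (?P<user>\S+)\.$"
)

# Constructed sample log: 10 failures one second apart from a documentation IP,
# then the rate-limit line vaultwarden emits once its own limit kicks in.
_BASE = datetime(2024, 4, 3, 18, 44, 8)
SAMPLE_LOG = [
    f"[{(_BASE + timedelta(seconds=i)).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]}]"
    "[vaultwarden::api::identity][ERROR] Username or password is incorrect. "
    "Try again. IP: 203.0.113.5. Username: someone@example.com."
    for i in range(10)
] + ["[2024-04-03 18:44:18.027][vaultwarden::ratelimit][ERROR] Too many login requests"]


def parse_line(line):
    """Return (timestamp, ip, username) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # rate-limit and other messages are not failed logins
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("user")


def leaky_bucket_alerts(lines, capacity, leakspeed):
    """Assumed leaky-bucket semantics: each failed login adds one token, one
    token drains every `leakspeed` seconds, and an alert fires when the bucket
    holds more than `capacity` tokens (the bucket is then emptied)."""
    buckets = {}  # ip -> (tokens, last_event_time)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        tokens, last = buckets.get(ip, (0.0, ts))
        tokens = max(0.0, tokens - (ts - last).total_seconds() / leakspeed) + 1
        if tokens > capacity:
            alerts.append((ip, ts))
            tokens = 0.0
        buckets[ip] = (tokens, ts)
    return alerts


if __name__ == "__main__":
    # Ten hand-typed attempts never overflow a capacity-10 bucket, but do at 5.
    print(leaky_bucket_alerts(SAMPLE_LOG, capacity=10, leakspeed=10))
    print(leaky_bucket_alerts(SAMPLE_LOG, capacity=5, leakspeed=10))
```

With these assumed values, the ten attempts vaultwarden allows before rate-limiting stay below a capacity of 10 (the bucket also leaks while you type), while a capacity of 5 fires on the sixth attempt.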

Thank you for your answer.
How can I test if my crowdsec is protecting vaultwarden then?
I already use crowdsec with authelia and there manual triggering worked fine for testing.

Well the logs are already being monitored, how are you exposing vaultwarden to the internet?

I am exposing vaultwarden over a nginx proxy manager.

Then you would either need to use a custom implementation of nginx proxy manager with our remediation component, or use the firewall remediation; but if you use something like Cloudflare, then the former is the way to go.

My idea was to install the bouncer on the nginx proxy virtual machine. On the other virtual machines crowdsec should parse the logs and send them to the nginx crowdsec to block the IP before the proxy forwards them. Is what I am trying the right way? Or do you mean something different?

Yes that is correct but the official nginx proxy manager does not support CrowdSec

Ok, but is the proxy the reason why crowdsec is not detecting a bruteforce at my vaultwarden?
If manual triggering is too slow, how can I test my configuration?

No, the proxy just won't enforce decisions that are made. The parsing is working; either you're too slow to manually trigger it, OR vaultwarden has its own defences which stop us from hitting the threshold, as vaultwarden's is lower than ours.

You can add your IP via cscli decisions add --ip <your_wan>, but most likely your setup won't do anything because you don't have any remediation components (Introduction | CrowdSec).

Oh yeah, I tried a bruteforce with some code and it worked :slight_smile:

Thank you very much :slight_smile: